Re: Microsoft Numbering System
From: Beau Monday (bmonday_at_SCC.MOBILEPHONE.NET)
Date: 09/19/03
- Previous message: Eiji James Yoshida: "Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability"
- Maybe in reply to: Mark L. Jackson: "Re: Microsoft Numbering System"
Date: Fri, 19 Sep 2003 13:17:54 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
This is something I have been pondering myself recently on my blog
(www.bmonday.com).
The display in Windows Update is not terribly useful, I think we can all
agree on this?
Do me a favor and load up a new Windows XP box, and then run Windows
Update. Besides the bold title with the cryptic and often-meaningless KB
number, how many of the descriptions are identical (say it with me, won't
you?):
"Security Update for [OperatingSystem] (KBnnnnnn): A security issue has
been identified that could allow an attacker to remotely compromise a
computer running Microsoft® Windows® and gain complete control over it.
You can help protect your computer by installing this update from
Microsoft. After you install this item, you may have to restart your
computer. Read more."
Far too many. There are 33 critical updates for a new XP system. The
majority of them are identical to the text above, except for the KB article
referenced. How is that useful?
It's far more meaningful for the description to list the overall bulletin
number, versus the individual KB article for the specific OS. Everything
on newsgroups lists vulnerabilities by the "MS03-039" generic bulletin.
Everything on NTBUGTRAQ references the MS03-039 style of identifier.
Yet, administrators have to keep a handwritten list on-hand with the KB
articles so they can reconcile which hotfixes address which security
alerts?
Even a DATE would be SOMETHING useful on the Windows Update display, so
the admins could say "Oh, ok, that's yesterday's patch."
The differing KB articles are necessary, this is a given. But the
information provided to the administrators (and home users, don't forget!)
via Windows Update is not meaningful unless they pull up the descriptions
on each and every patch.
There is room for improvement there.
Beau Monday
-----Original Message-----
From: Alun Jones [mailto:alun@TEXIS.COM]
Sent: Thursday, September 18, 2003 7:11 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Felix Yan
> Sent: Wednesday, September 10, 2003 8:30 AM
>
> While I was downloading the patches for MS03-035, 036, 037, and 038
> from the M$ Office Update Website, I tried to figure out whether I was
> actually downloading the correct patches but I simply couldn't. The
> numbering system that M$ used in the Security Bulletin is different
> from the one used in the Knowledge Base (i.e. KBxxxxxx). So far, I
> still can't find a page in the M$ site that shows the two
> corresponding numbers for each patch.
This is because the two numbers refer to different documents, with
different contents.
> For example, the KB numbers for some of the patches are:
> - Office XP Security Patch: KB822036 (same as MS03-037: 822715?)
No. KB822036 is an overview of the Office XP patch and how to install it.
KB 822715 is, as you note, the same as the bulletin MS03-037, which is a
description of the bug, its symptoms, and links to patches for different
versions of the patch. Note that one of the links is to KB822036. Since
this bulletin affects Office 2000 as well as several other individual
products, there are links to patch information for that software - 822035,
822212, 822478, 822211.
> Can't M$ just use ONE and only ONE numbering system so that fewer
> people, like me, will get confused? This is certainly one of the many
> things that M$ needs to put some of its effort in its continuous
> improvement.
What you're asking for is that all the detailed information, for several
different products and several different downloads, should be stuck into
one massive document. I'd see that as making things _more_ confusing, not
less.
The security bulletin tells you what the general effect of the bug is,
what software is affected by it, and how critical it is. It includes a
link to more detailed information and patches for each of the software
versions affected. How is this confusing?
Alun.
~~~~
--
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.